Two networks on the same box

This post is one of a series of posts about OpenWRT hacking. My OpenNews friends [@malev][at_malev], [@gaba][at_gaba], and I have been doing a lot of research into OpenWRT, and we’re finally taking the time to write up our findings. All these posts are co-written. Hope you’ll enjoy!

Now that you know a little bit about the project (link to whatever), that you want to share some of your Internet bandwidth (link) and that you know how to “un-brick” your PirateBox, why don’t we move one step further into the craziness and set up two (yes, two) different networks on your device: a private, secured network and a network open to the public. Both on the same device! Keep in mind that since we are dealing with an underpowered device we are going to be hammering our PirateBox. But… why not?

By this point, you already have one WiFi network on your PirateBox. Connect to it via ssh (or telnet), and run ifconfig. You should see that the PirateBox has an IP address on the same subnet as your router. Now, open another terminal window, and run ifconfig on your own machine. You’ll notice that you have an IP address on that very same subnet. That is fine for you, but it is a security hole if you plan on sharing your network: every device that joins this WiFi lands on your private LAN, on the same subnet and broadcast domain as your own machines, and can reach your computers and your router just as you can.

At this point, I’d like to ask you if you’ve enabled network encryption! If you have, your network is somewhat more secure, because at least only people who know your password can get on it. But, bogeyman alert: passwords can be cracked! Anyway, I’m getting ahead of myself… Back to the subnet stuff.

Thankfully, we can create a new interface that puts connected devices on a different subnet. That way, the private network you share with your router is kept apart from the network your guests use. Let’s create this interface. Open up /etc/config/network and add a new interface stanza similar to the one that describes your lan:

config interface 'for_guests'
	option proto 'static'
	# pick any range you like, as long as it does not overlap your private network!
	option ipaddr '10.100.251.1'
	option netmask '255.255.255.0'

Now, let’s attach the interface we created to the radio by telling the wireless configuration about it. Pop open /etc/config/wireless and add, after the wifi-iface stanza that describes your lan:

OK, now the important part: we set up our firewall to properly jail devices on our public network, restricting them to only what we want them to be allowed to do. Edit /etc/config/firewall accordingly:
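The wireless and firewall stanzas themselves are not reproduced in this post, so here is an added, worked version of the whole procedure (network, wireless, DHCP and firewall) that is our own example rather than a verbatim copy of any PirateBox file. It assumes the radio is called radio0, that the zone facing your router is the stock one named lan, that your private network is 192.168.1.0/24, and that the guest SSID is open (no encryption); adjust those four things to your box.

```uci
# /etc/config/network  (the interface from above, repeated for reference)
config interface 'for_guests'
	option proto 'static'
	option ipaddr '10.100.251.1'
	option netmask '255.255.255.0'

# /etc/config/wireless  -- a second access point on the same radio (radio0 assumed)
config wifi-iface
	option device 'radio0'
	option network 'for_guests'
	option mode 'ap'
	option ssid 'PirateBox-Guests'
	option encryption 'none'
	# keep guests from talking to each other over the air
	option isolate '1'

# /etc/config/dhcp  -- hand out leases on the guest subnet only
config dhcp 'for_guests'
	option interface 'for_guests'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall  -- the jail
config zone
	option name 'guest'
	option network 'for_guests'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# the only two things guests may ask the box itself for: a lease and name resolution
config rule
	option name 'guest-dhcp'
	option src 'guest'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'guest-dns'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# guests reach the Internet through the zone that faces your router (lan assumed)...
config forwarding
	option src 'guest'
	option dest 'lan'

# ...but never the private subnet behind it (192.168.1.0/24 assumed);
# rules are evaluated before forwardings, so this wins over the forwarding above
config rule
	option name 'guest-no-private'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.1.0/24'
	option target 'REJECT'
```

Two things to keep in mind. First, your router knows nothing about 10.100.251.0/24, so replies to guest traffic would never find their way back unless the box hides the guest subnet behind its own lan address: add `option masq '1'` to the existing lan zone. Second, after editing, apply everything with `/etc/init.d/network reload`, `wifi`, `/etc/init.d/dnsmasq restart` and `/etc/init.d/firewall restart`, then join the guest SSID with a phone and check that it gets a 10.100.251.x address, can browse, and cannot ping 192.168.1.1 or any of your machines; if it can, the REJECT rule did not land before the forwarding, which `iptables -L zone_guest_forward -n` on the box will show.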